-rwxr-xr-x | LedgerSMB/AM.pm | 44 | ||||
-rwxr-xr-x | bin/mozilla/am.pl | 6 |
2 files changed, 31 insertions, 19 deletions
diff --git a/LedgerSMB/AM.pm b/LedgerSMB/AM.pm
index adae27b8..142111c1 100755
--- a/LedgerSMB/AM.pm
+++ b/LedgerSMB/AM.pm
@@ -1230,10 +1230,35 @@ sub update_recurring {
 }
+sub check_template_name {
+
+ my ($self, $myconfig, $form) = @_;
+
+ my @allowedsuff = qw(css tex txt html xml);
+ if ($form->{file} =~ /\.\./){
+ $form->error("Directory transversal not allowed.");
+ }
+ my $whitelisted = 0;
+ for (@allowedsuff){
+ if ($form->{file} =~ /$_$/){
+ $whitelisted = 1;
+ }
+ }
+ if (!$whitelisted){
+ $form->error("Error: File is of type that is not allowed.");
+ }
+
+ if ($form->{file} !~ /^$myconfig->{templates}/){
+ $form->error("$!: $form->{file}") unless $form->{file} =~ /^css/;
+ }
+}
+
+
 sub load_template {
- my ($self, $form) = @_;
+ my ($self, $myconfig, $form) = @_;
+ $self->check_template_name(\%$myconfig, \%$form);
 open(TEMPLATE, "$form->{file}") or $form->error("$form->{file} : $!");
 while (<TEMPLATE>) {
@@ -1247,22 +1272,9 @@ sub load_template {
 sub save_template {
- my ($self, $form) = @_;
-
- my @allowedsuff = qw(css tex txt html xml);
- if ($form->{file} =~ /\.\./){
- $form->error("Directory transversal not allowed.");
- }
- my $whitelisted = 0;
- for (@allowedsuff){
- if ($form->{file} =~ /$_$/){
- $whitelisted = 1;
- }
- }
- if (!$whitelisted){
- $form->error("Error: File is of type that is not allowed.");
- }
+ my ($self, $myconfig, $form) = @_;
+ $self->check_template_name(\%$myconfig, \%$form);
 open(TEMPLATE, ">$form->{file}") or $form->error("$form->{file} : $!");
 # strip
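Review bot: The suffix whitelist in check_template_name is looser than it reads: `/$_$/` neither requires a dot before the suffix nor rejects a trailing newline (`$` matches before one), so names such as `myhtml` or `x.tex\n` pass; `/\.\Q$_\E\z/` closes both gaps. The directory check a few lines below interpolates `$myconfig->{templates}` into the pattern unescaped and as a bare prefix, so regex metacharacters in the configured path alter its meaning and a sibling directory whose name merely starts with the same string would be accepted; `if ($form->{file} !~ m{\A\Q$myconfig->{templates}\E/})` pins it to the directory itself. The `"$!: $form->{file}"` message in that branch reports `$!`, which no system call has set at that point, so the error text is misleading; a plain "file outside template directory" message would be clearer. Whether any of these checks stops execution depends on `$form->error` not returning, which this hunk does not show.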
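Review bot: After the new check_template_name call, save_template still passes `$form->{file}` to a two-argument bareword `open(TEMPLATE, ">$form->{file}")`, and load_template in the previous hunk does the same with `"$form->{file}"`, so the name validation is the only thing keeping mode characters out of the open string. The three-argument form with a lexical handle, `open(my $tmpl, '>', $form->{file}) or $form->error("$form->{file} : $!");`, makes the open itself indifferent to the filename's content regardless of how the whitelist evolves. The body of save_template continues outside the hunk.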
diff --git a/bin/mozilla/am.pl b/bin/mozilla/am.pl
index 5a9967e9..9be1c020 100755
--- a/bin/mozilla/am.pl
+++ b/bin/mozilla/am.pl
@@ -1598,7 +1598,7 @@ sub display_form {
 $form->error("$!: $form->{file}") unless -f $form->{file};
- AM->load_template(\%$form);
+ AM->load_template(\%myconfig, \%$form);
 $form->{title} = $form->{file};
@@ -1643,7 +1643,7 @@ $form->{body}
 sub edit_template {
- AM->load_template(\%$form);
+ AM->load_template(\%myconfig, \%$form);
 $form->{title} = $locale->text('Edit Template');
 # convert   to &nbsp;
@@ -1691,7 +1691,7 @@ $form->{body}
 sub save_template {
- AM->save_template(\%$form);
+ AM->save_template(\%myconfig, \%$form);
 $form->redirect($locale->text('Template saved!'));
 } |
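Review bot: In display_form the `-f $form->{file}` test on the line above the changed call still runs before AM->load_template reaches check_template_name, so the submitted path is probed on disk before it has been validated. Calling the validation first, or moving the `-f` test into load_template after the check, keeps the unvalidated name away from the filesystem entirely. display_form begins and ends outside the hunk, so I cannot see whether an earlier check already covers this.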